Kaspersky: “We detect and remediate any malware attack,” even by NSA (Updated)

Firm responds to EFF question about AV cooperation with government surveillance.

Antivirus provider Kaspersky said it has designed its products to detect all malware, even if it's sponsored by the National Security Agency or other government entities under programs said to target terrorists or other threats.

"We have a very simple and straightforward policy as it relates to the detection of malware: We detect and remediate any malware attack, regardless of its origin or purpose," officials with the Moscow-based company wrote in a statement issued Wednesday. "There is no such thing as 'right' or 'wrong' malware for us."

"It's imperative that these surveillance tools do not fall into the wrong hands, and that’s why the IT security industry can make no exceptions when it comes to detecting malware," Kaspersky went on to say.

Wednesday's statement is the only one we know of to be issued in response to last month's open letter. This post will be updated if other responses are discovered. Still, other AV providers have already pledged not to let state-sponsored malware pass through their products. In 2012, for instance, F-Secure Chief Research Officer Mikko Hypponen said his company would detect threats even if they were presumed to target rogue nations such as Iran or Sudan.

"We want to detect malware, regardless of its source or purpose," Hypponen wrote in a blog post. "Politics don't even enter the discussion, nor should they. Any malware, even targeted, can get out of hand and cause 'collateral damage' to machines that aren't the intended victim. Stuxnet, for example, spread around the world via its USB worm functionality and infected more than 100,000 computers while seeking out its real target, computers operating the Natanz uranium enrichment facility in Iran. In short, it's our job as an industry to protect computers against malware. That's it."

Update: F-Secure has just posted its response to the open letter. It largely reiterates Hypponen's previous statements by saying the company wouldn't comply with any government request not to detect a specific piece of malware.

"To us, the source of the malware does not come into play when deciding whether to detect malware," CEO Christian Fredrikson wrote in the November 1 letter. "If it's malware, we will protect our customers from it. Our decision-making boils down to a simple question: would our customers want to run this program on their system or not. Obviously the answer for government trojans would be 'No.'"

Promoted Comments

There seems to be a very low probability the NSA or any of 1000 or more government agencies in different countries are likely to lean on AV suppliers to coerce them not to detect signatures of malware they are engineering. This most likely applies even to AV suppliers within the same jurisdiction.

Reason 1 applies to minimising the group on the inside based on need to know. Adding AV staff to this list expands the insider circle and the probability of a leak.

Reason 2 applies to the fact that AV staff will generally be motivated to serve their customers better than whatever spook agency which might try leaning on them.

49 Reader Comments

The truth is, consumer-grade antivirus products can't protect well against targeted malware created by well-resourced nation-states with bulging budgets. (…) We were out of our league, in our own game.

That's more the issue with malware attacks at a government / political level, rather than the suggestion that these companies are selectively targeting malware. The accusation and their obvious response misses the point.

The really juicy attacks are far beyond (or ahead of) the detection resources and capabilities of virus protection software, so these companies instead play a role in the end game and clean up rather than being a reliable line of defence -- or any defence? -- against such attacks.

I think it's just you. Take a look through the comments to the story two weeks ago. A fair number of readers were calling on AV companies to go on record. Now that Kaspersky has done just that, I don't think it's fair to claim it's a marketing strategy.

Look at LavaBit and various email companies that basically sold their services on fear of NSA but then realized that they actually aren't secure and used NSA as an excuse to bail out of their services. Companies are capitalizing on the fear and the leaks, so yes it kind of has become a marketing strategy.

I think it would be downright dangerous for Kaspersky to do any different. What happens if malware suddenly doesn't work as planned and infects many computers, or gets hijacked by a third party? If they and other AV vendors left it out of their protection and it hangs around spreading itself for a few years, who knows what could be done with it if someone else finds a way to control it.

But the reality is that these things get found and discussed pretty openly before figuring out the source. Unless the NSA starts telling Kaspersky what they're putting out there (which they're highly unlikely to do), AV companies will find it and talk about it. Your local terrorist will find a way around it and the average consumer won't know a thing about it.

I like Kaspersky Internet Security, but users should read the details about the extra feature called Cloud protection before enabling it. If you have anything on the computer or are doing anything with the computer that you like to keep private, keep it off. The same probably goes for all cloud based antivirus functionality from companies with offices in the US (or some other countries for that matter).

Ok, but I still think that this: "Antivirus provider Kaspersky has designed its products to detect all malware" is a bold statement to make, is it not? Is that really possible? It sounds a little bit hyperbolic to me, considering how picky you are with claims made by Apple, for instance.

And since you cited the AV group letter, if you dig deeper through the links ("The letter came amid recent revelations that the NSA has a wide-ranging menu of software exploits at its disposal" -> http://arstechnica.com/security/2013/10 ... e-targets/), you will find that the so-called "wide-ranging menu of software exploits" reported is nothing more than a middle-man attack to exploit a very specific vulnerability in a JavaScript library (God bless JavaScript for its security) in very specific versions of a very specific open source browser called Firefox.

Now my questions are: can Kaspersky detect and fix web browser vulnerabilities and bugs? Can this kind of "malware" be detected by Kaspersky too? Because I am sure that you do not need Kaspersky for that, as long as you use the Tor Bundle correctly with JavaScript turned off.

But if you are telling me that paying more than $40 for Kaspersky is a better solution than the freely available Tor Browser without JavaScript (whose mission is to protect your anonymity) to avoid the NSA attack reported by the Guardian, then I am going to be a little bit skeptical about that.

I... don't even know where to start... pretty much everything you just said is wrong or misconstrued.

I applaud Kaspersky for going on record to say this. I've used Kaspersky on and off for the past 5 years when I've paid for antivirus. I did this on the theory that they may not be subject to American laws, and further, they're Russian. I imagine they'd be uncooperative with law enforcement on principle or at the very least demand a significant amount of money for compliance. American law enforcement has been overstepping its bounds, not following proper procedure and obtaining warrants when they should. Now everyone knows Kaspersky won't roll over for government malware!

Oh please. The idea is they don't ignore known malware by request from government agencies. At any one time, no AV will detect all malware.

Kaspersky tends to have a lot of false positives. Some legit authors have had to deal with Kaspersky to get off their list.

I just run MS essentials. However, I have no email clients on windows boxes. Email is read on a BlackBerry or Linux PC. That just leaves Adobe software and Firefox for vectors on my windows PCs.

They didn't mention the FSB or any of the other hundreds of security services around the world because "regardless of origin" covers every single security service, every single lone hacker, every single alien mothership, every other undersea giant robot weapon, every single everything.

But Kaspersky’s rise is particularly notable—and to some, downright troubling—given his KGB-sponsored training, his tenure as a Soviet intelligence officer, his alliance with Vladimir Putin’s regime, and his deep and ongoing relationship with Russia’s Federal Security Service, or FSB.

Kaspersky’s vision for the future of Internet security ... includes requiring strictly monitored digital passports for some online activities and enabling government regulation of social networks to thwart protest movements. “It’s too much freedom there,” Kaspersky says, referring to sites like Facebook. “Freedom is good. But the bad guys—they can abuse this freedom to manipulate public opinion.”

But that is the paradox of Eugene Kaspersky: a close associate of the autocratic Putin regime who is charged with safeguarding the data of millions of Americans; a supposedly-retired intelligence officer....

Quote:

“A substantial part of his company is intimately involved with the FSB,” the tech insider says.

I paraphrased Kaspersky as saying their AV is designed to detect all malware. Your questions are based on the premise I said they have a 100 percent success rate. I don't see anything bold about a company saying what the objective of their software is.

"If the target is a high-value one, FoxAcid might run a rare zero-day exploit that it developed or purchased," Schneier wrote. "If the target is technically sophisticated, FoxAcid might decide that there's too much chance for discovery, and keeping the zero-day exploit a secret is more important. If the target is a low-value one, FoxAcid might run an exploit that's less valuable. If the target is low-value and technically sophisticated, FoxAcid might even run an already-known vulnerability."

The fact that the open letter makes no reference to these exploits isn't support they don't exist. It's silly to suggest otherwise.

I'm not sure what your support is for the suggestion that I'm endorsing Kaspersky's AV over any other solution.

If you or they say that their system is designed to detect all malware, that means the system is designed to detect 100% of the malware. That is what it means, literally. So, that is the level where we must set our expectations, because that is the claim, is it not? That is not the same as saying that their goal is to design a system that detects all malware.

I did not say that FoxAcid does not exist. I was simply asking how the claim made by Kaspersky correlates with the links, references and available non-speculative information about the NSA exploits of that JavaScript library in that particular browser. In other words, what can a system that detects malware do about vulnerabilities in existing software like Firefox with JavaScript turned on, and how can it help Tor users preserve their anonymity?

What can Kaspersky do to protect the anonymity of Tor users against the efforts of the NSA to unveil their identities? I think that is a fair question. Or is this just about Kaspersky mentioning the NSA to make themselves look good?

If all they wanted to say is that they do not cooperate with the NSA to bypass malware made by the NSA, well, that is all they have to say: "We do not bypass NSA malware, never did and never will." Nothing else. In fact, I do not see any reason to ask them that question, because so far there is no indication that the NSA forced some company to inject some vulnerability or malware into their own products. And since this company is Russian, I do not see any basis to ask that.

Seriously? You're whining about an author's interpretation of a statement made by a company on their blog post? If it was a true marketing ploy, then the COMPANY would have said "all malware..." If you read the article, the company said "ANY MALWARE". So you're saying that because the author said "all", you should expect the company to meet that standard--even though the company never made that claim?

So by your reasoning, if an author says (in reference to a brand new car that probably only has about 500 on the road) "The <insert car name here> has never been in an accident," that means that the manufacturer of said car is claiming that their car is 100% accident proof.

In reference to your question about how Kaspersky (or any other AV company) can protect users of TOR or other services, I'd say that when they detect the malware in the wild (using whatever exploits are not known yet), they will take steps to block that malware. Sort of like how Avast will pop up when you visit certain (infected) websites and scream that your computer is under attack (and that they defended it). In other words, when the AV companies discover the exploit, they will take steps to ensure it doesn't actually infect your computer.

Plus, in reference to TOR, if the NSA is trying to unveil their identities, most likely it's somewhere OUTSIDE of the users computer. Which means that NO antivirus software would be able to stop it--unless it's installed on the NSA's server.

Naturally, these are just my opinions (made without doing any serious research into this subject), so I can be wrong on any and all counts.

By the logic of your reason 1, the NSA would never lean on, say, the makers of routers or other hardware to put holes in their firewalls. We know that they do. So I would say your reason 1 is proven false. I think you are incorrectly assuming the NSA would have to tell company X that company Y is already on board. They would not.

For your reason 2, you say "will generally be motivated" and I would like to think that's true in general but, given the enthusiasm with which AT&T and Verizon leapt to the NSA's aid, I don't consider that definitive.

For companies in the US, I can certainly imagine the NSA coming up with something like a national security letter, where they are compelled to cooperate and cannot reveal any information about it. For AV companies outside the US, I do think it's unlikely the NSA would lean on them. But if those companies are in allied nations, it's clear the NSA is also willing to take advantage of partnerships and go to the equivalent agency in those nations, and have them do it instead. Kaspersky being in Russia means this is probably not an issue. Would Russia compel them to leave security holes? Perhaps, but I suspect Russia's surveillance net is not as sophisticated as ours. That's not a very strong endorsement though....

Reason 1(b) applies to maintaining the effectiveness of the malware. To ensure that the malware isn't countered by AV software, all the AV software companies would have to be brought into the insider circle. Not all AV software companies are based in the host country, and thus there is no jurisdiction over extra-national corporations.

Playing a bit of devil's advocate here: it isn't the AV companies working with an intelligence agency we should be worried about, rather the intelligence agencies working inside of an AV company. This would give them early warning on what malware they crafted has been detected in the wild and the progress of any countermeasures before they go public. These companies will occasionally work together on particularly aggressive malware, thus increasing the benefit of an insider.

It would be idiotic of any spy agency to inform AV vendors of their malware as it would vastly increase the number of people who could leak information. The issue is moot though, as no one needs to work with an antivirus company to break through its protection. Signature-based detection is utterly broken, as the vast majority of malware is now packed by crypting systems that update daily, if not hourly, to outpace detections. Heuristic detection is still in its infancy, and can be defeated by simply having malware programs wait for a few minutes before taking any malicious actions. Until AV companies step up their game, they won't be able to protect you from any 15 year old able to copy and paste some code, let alone the NSA.

https://www.youtube.com/watch?v=W_KF-cInj04

I dunno - the threat of secret rendition, or even an IRS audit, might be enough to overcome Reason 2.

I've been debating which provider to use for a new company-wide antivirus solution. Looks like Kaspersky wins.

Anecdotally, I installed the latest Kaspersky on both Win8 and Win8.1 machines, and there was a noticeable lag in processing time during normal use, more so with 8.1 than 8.0. Too much for me to use it...

This probably isn't exactly the type of marketing you're referring to, but my PC that runs the free version of Avast! Antivirus did in fact have a pop-up a few days ago from the program advertising Avast's VPN, and the tag line read something like, "Protect your connection from spying eyes. We're looking at you, NSA!"

These addresses are where my KAV calls "the cloud" every few minutes and every time I access a web site, all day, every day. Always China first and in the order above. The attempt above is under 5 minutes ago as of this posting. Since I'm in the US and outside DC, I have to wonder if KAV is concerned the NSA malware will interfere with their software or "alert" on the consistent order of the connections.